Cookies/Sessions: Why is LimeSurvey using the default sessionname?

4 months 22 hours ago #164481 by jelo
LS 3 is creating two session cookies.
Name	PHPSESSID (taken from php.ini)
Value	11c93...(etc.)
Host	host.domain.tld
Path	/
Expires	At end of session
Secure	Yes
HttpOnly	Yes
 
Name	YII_CSRF_TOKEN
Value	SlBXd....(etc.)
Host	host.domain.tld
Path	/
Expires	At end of session
Secure	Yes
HttpOnly	No

Issues around sessions with multiple installations (can be your own space or on shared server with shared session storage) can be the result of the current behavior.

Wouldn't it be better to change the default behavior?
1. Recognize the path and set the path in the cookie.
LS is ignoring the path. If you have two installations in different paths, the cookies are the same.
You cannot stay logged in to both LS installations.
2. Set a session-name (not using the default name)
secure.php.net/manual/en/session.configu...php#ini.session.name
3. Add a unique part (for every installation) to the names.

Example Nextcloud:
Name	nc_sameSiteCookielax
Value	true
Host	host.domain.tld
Path	/yourinstallation
Expires	Fri, 31 Dec 2100 23:59:59 GMT
Secure	Yes
HttpOnly	Yes
 
Name	nc_sameSiteCookiestrict
Value	true
Host	host.domain.tld
Path	/yourinstallation
Expires	Fri, 31 Dec 2100 23:59:59 GMT
Secure	Yes
HttpOnly	Yes
 
Name	oc3d172roqs9  (unique name)
Value	68899..(etc.)
Host	host.domain.tld
Path	/yourinstallation
Expires	At end of session
Secure	Yes
HttpOnly	Yes
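
Added example (not part of the original post and not LimeSurvey code): a simplified JavaScript model of the browser cookie store, showing why two installations on the same host that both use `PHPSESSID` with `Path=/` overwrite each other's session cookie, and how a per-installation path or name avoids it. The paths `/surveyA` and `/surveyB`, the session values and the `LS_` names are constructed for illustration.

```javascript
// Simplified model of a browser cookie store (RFC 6265), host-only cookies.
// A cookie is identified by (name, host, path); setting the same triple replaces it.
class CookieJar {
  constructor() { this.cookies = new Map(); }

  set(host, { name, value, path = "/" }) {
    this.cookies.set(`${name}|${host}|${path}`, { name, value, host, path });
  }

  // RFC 6265 section 5.1.4 path-match.
  static pathMatch(cookiePath, requestPath) {
    if (requestPath === cookiePath) return true;
    if (!requestPath.startsWith(cookiePath)) return false;
    return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
  }

  // "name=value" pairs the browser would send for this request.
  send(host, requestPath) {
    return [...this.cookies.values()]
      .filter(c => c.host === host && CookieJar.pathMatch(c.path, requestPath))
      .map(c => `${c.name}=${c.value}`);
  }
}

// Log in to installation A, then B (constructed paths), and return what each
// installation receives on its next request.
function loginToBoth(cookieFor) {
  const jar = new CookieJar();
  const host = "host.domain.tld";
  jar.set(host, cookieFor("/surveyA", "session-of-A"));
  jar.set(host, cookieFor("/surveyB", "session-of-B"));
  return { a: jar.send(host, "/surveyA/admin"), b: jar.send(host, "/surveyB/admin") };
}

// 1. Default name, Path=/ : the second login replaces the first cookie.
const sharedDefault = loginToBoth((p, value) => ({ name: "PHPSESSID", value, path: "/" }));
// 2. Default name, cookie path set to the installation path.
const scopedByPath = loginToBoth((p, value) => ({ name: "PHPSESSID", value, path: p }));
// 3. Per-installation session name (constructed), Path=/ : both cookies are sent,
//    but each installation only reads the one carrying its own name.
const uniqueName = loginToBoth((p, value) => ({ name: "LS_" + p.slice(1), value, path: "/" }));

console.log({ sharedDefault, scopedByPath, uniqueName });
```

In case 1 installation A receives the session ID issued by installation B, which is the "cannot stay logged in to both" behaviour described in the post.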

3 months 2 weeks ago #165027 by DenisChenu
You can set what you want yourself in the config.php file.
manual.limesurvey.org/Optional_settings#Session_settings

I really think session name/path etc. are something related to the server, not the tool: then it's the server admin's part.

Assistance on the LimeSurvey forum and LimeSurvey core development are done in my free time.
I'm not a LimeSurvey GmbH member; professional service on demand (or search sondages pro).
An error happened? Before making a new topic: remember the Debug mode.

3 months 2 weeks ago #165034 by jelo

DenisChenu wrote: I really think session name/path etc. are something related to the server, not the tool: then it's the server admin's part.

Choosing a default value is a very important thing. The question "Why is LimeSurvey using default sessionname" is still unanswered.

3 months 2 weeks ago - 3 months 2 weeks ago #165035 by DenisChenu
By default: LimeSurvey CHOOSES the default session name set by the server admin…

Then: I really think it's OK. php.ini can set anything for the session name, even by hostname…

Last Edit: 3 months 2 weeks ago by DenisChenu.
